b"March 31, 2009\n\nTHOMAS G. DAY\nSENIOR VICE PRESIDENT, INTELLIGENT MAIL AND ADDRESS QUALITY\n\nROSS PHILO\nEXECUTIVE VICE PRESIDENT, CHIEF INFORMATION OFFICER\n\nSUBJECT: Audit Report \xe2\x80\x93 Intelligent Mail Barcode Project Planning and Application\n         Development Life Cycle (Report Number IS-AR-09-006)\n\nThis report presents the results of our audit of Intelligent Mail\xc2\xae Barcode (IMB) Project\nPlanning and Application Development Life Cycle (Project Number 08RG029IS000).\nThe report is the result of a self-initiated audit, which addresses operational risk. See\nAppendix A for additional information about this audit.\n\nConclusion\n\nThe U.S. Postal Service was not aware of the significant complexities and extensive\nrequirements needed for the IMB Full Service-Seamless Acceptance Service\nPerformance (SASP) Release 1 application when funding was obtained for\ndevelopment and when project milestones were established. As a result, delays\noccurred in the design and build, and test schedules have been compressed. A more\nincremental approach to managing such a complex project could help ensure clearer\nexpectations for the project and a better estimate of required resources and project\nmilestones. Additionally, better business requirements management could enhance\nmailer community acceptance of the IMB Full Service-SASP application and maintain\ncustomer faith in the Postal Service brand. We will report the non-monetary impact\n(preserving the integrity of the Postal Service brand) in our Semiannual Report to\nCongress.\n\nxxxxxxxxxx xxx xxxx xxx xxx xxxxxxxxx xxxx xx xxx xxxxxxxx xxxxxxxxxxxxx xxx xxxx\nxxxxxxxxxxx. Because data that is sensitive to key Postal Service customers will be\nprocessed through this application, it is critical to ensure that security is thoroughly\naddressed. Management needs to ensure the Information Systems Security\nRepresentative (ISSR) is engaged in the application development life cycle and the\nCertification and Accreditation (C&A) process is completed and all residual risks\nidentified before deploying the IMB Full Service-SASP Release 1 application. Resolving\n\x0cIntelligent Mail Barcode Project Planning                                                  IS-AR-09-006\n and Application Development Life Cycle\n\n\nthese issues could provide assurance that all risks and mitigation alternatives have\nbeen thoroughly considered, formally documented, and diligently pursued.\n\nDelays in Finalizing Application Requirements\n\nExtensive business requirements were needed to develop the IMB Full Service-SASP\napplication; however, management did not anticipate the amount of time needed to\ndevelop and integrate these requirements with the IMB Full Service-SASP Release 1\napplication. For example:\n\n\xe2\x80\xa2   The initial business requirements (dated August 16, 2007) consisted of\n    approximately 200 pages, but grew to 5,000 pages as management made significant\n    changes in scope and revised and added requirements for the 59 systems that\n    interface with the IMB application.\n\n\xe2\x80\xa2   The design and build phases were scheduled to start on August 11 and\n    October 1, 2008, respectively; however, delays in finalizing requirements resulted in\n    these phases not starting until October 1 and November 17, 2008. The Executive\n    Sponsor did not finalize and approve the requirements until February 23, 2009.\n\nThe Postal Service did not recognize the scope and complexity of developing an\ninformation resource of this magnitude. The original Decision Analysis Report (DAR),\ndated October 15, 2007, went through six revisions before the Board of Governors\napproved it in July 2008. Although the scope of the project was established in this DAR,\ndevelopment of the detailed requirements was not started until after the DAR was\napproved and funded. Critical complexities were identified during this detailed\nrequirements development effort. In addition, the Postal Service maintained separate\nbusiness and Information Technology (IT) project plans until December 8, 2008 \xe2\x80\x94\n5 months prior to the scheduled application deployment \xe2\x80\x94 when a unified project\nmanagement plan was established.\n\nAs a result, the Sales and Marketing Business Systems Portfolio is working under a\ncompressed time schedule (24 hours a day, 7 days a week) to meet the existing project\nmilestones. For example, management indicated that System Integration Tests (SIT)1\ncommenced the week of March 2, 2009, and will finish in 4 weeks as opposed to the\n6 weeks originally planned. Additionally, some key features planned for the first release\nof the project have been deferred to future releases. By implementing effective\nbusiness requirements management, the Postal Service could help ensure mailer\ncommunity acceptance of the IMB Full Service-SASP application and maintain\ncustomer faith in the Postal Service brand. See Appendix B for our detailed analysis of\nthis topic.\n\n\n1\n SIT validate that the technology solution and its features conform to requirements and design specifications.\nCustomer Acceptance Tests (CAT) ensure the technology solution satisfies the documented requirements and the\ncustomer approves it. According to management, CAT is scheduled to begin in early April 2009.\n\n\n\n\n                                                        2\n\x0cIntelligent Mail Barcode Project Planning                                               IS-AR-09-006\n and Application Development Life Cycle\n\n\nWe recommend the Senior Vice President, Intelligent Mail and Address Quality, direct\nthe Vice President, Business Mail Entry and Payment Technologies, to:\n\n1. Establish an incremental approach for approval and funding for future project\n   releases to ensure adequate time is allotted in the project milestones for the design,\n   build, and test phases.\n\nInformation Security in the Application Development Process\n\nThe Executive Sponsor did not formally appoint an ISSR for the IMB Full Service-SASP\napplication because he was not aware of the policy requirement.2 One of the\nresponsibilities of the ISSR is to notify the Executive Sponsor, Portfolio Manager, and\nInformation System Security Officer (ISSO) of any additional security risks or concerns\nthat emerge during development or acquisition of the information resource. The ISSR\xe2\x80\x99s\ninvolvement during the application development life cycle process could decrease the\nrisk of security threats and vulnerabilities to confidential and proprietary data.\n\nCorporate Information Security finalized and approved the Business Impact Assessment\n(BIA) on January 30, 2009; however, as of March 9, 2009, other key Technology\nSolution Life Cycle (TSLC)3 documentation, such as the Security Plan, Risk\nAssessment, Security Test and Evaluation Plan, and SIT and CAT plans, had not been\ndeveloped and finalized for the IMB Full Service-SASP Release 1 application as\nrequired by policy4 and the C&A process. Management had not finalized these\ndocuments because delays occurred with finalizing the business requirements and, as a\nresult, the ISSO was reassigned to other projects between July and October 2008.\nAccording to management, they plan to complete all TSLC documentation prior to the\nMay 11, 2009, deployment of the application.\n\nPolicy5 requires management to conduct the C&A process concurrently with the\ndevelopment of new applications. Without a completed C&A, management has no\nassurance that all risks and mitigation alternatives have been thoroughly considered,\nformally documented, and diligently pursued. Security for this application is critical to\nmaintain mailer confidence in the Postal Service\xe2\x80\x99s protection of the business sensitive\ndata that will reside in this system. See Appendix B for our detailed analysis of this\ntopic.\n\n\n\n\n2\n  Handbook AS-805, Information Security \xe2\x80\x93 Draft (dated January 5, 2008), Chapter 2, Security Roles and\nResponsibilities, Section 2-2.10, Executive Sponsors.\n3\n  Handbook AS-805, Chapter 8, Development and Operations Security, Section 8-1, Policy.\n4\n  Handbook AS-805, Chapter 8, Development and Operations Security, Section 8.5, Information Resource C&A,\nExhibit 8.5.\n5\n  Handbook AS-805, Chapter 8, Development and Operations Security, Section 8-4.1, What the C&A Process\nCovers.\n\n\n\n\n                                                      3\n\x0cIntelligent Mail Barcode Project Planning                              IS-AR-09-006\n and Application Development Life Cycle\n\n\nWe recommend the Senior Vice President, Intelligent Mail and Address Quality, and\nExecutive Vice President, Chief Information Officer, direct the Vice President, Business\nMail Entry and Payment Technologies, the Manager, Corporate Information Technology\nPortfolios, and the Manager, Corporate Information Security, to:\n\n2. Formally appoint an Information Systems Security Representative, in writing, and\n   ensure they are fully engaged in the business requirements throughout the life cycle\n   of the Intelligent Mail Barcode Full Service-Seamless Acceptance Service\n   Performance application, and document their participation and concurrence on\n   security matters.\n\n3. Ensure the Certification and Accreditation process is completed and all residual risks\n   are identified and mitigated before deploying the Intelligent Mail Barcode Full\n   Service-Seamless Acceptance Service Performance Release 1 application.\n\nManagement\xe2\x80\x99s Comments\n\nManagement generally agreed with the findings, but did not comment on the non-\nmonetary impact. They also agreed with recommendations 1 and 2, and partially\nagreed with recommendation 3. They recognize the desirable aspects of establishing\nan incremental approach for approval and funding to ensure adequate time is allotted in\nthe project milestones for the design, build, and test phases for future releases.\nAccording to management, they have implemented this approach to ensure a less\ncompressed schedule for the implementation of Release 2, and to the extent there will\nbe a Release 3. Further, management has assigned an ISSR to this program and will\nensure the appointment is documented in writing, and their participation and\nconcurrence reflected, as required, in the official TSLC and C&A process documents by\nMay 11, 2009. Finally, they will ensure the C&A process is completed and all residual\nrisks identified. xxxxxxx, xxxxxxxxx xxxx xxx xxxxxx xx xxx xxxxxxxx xxxxx, xxxxxxxxxx\nxxxx xxxxxxxxx xx xxx xxxxxxxxxxx xxxx xxxxxx xx xxxxxxxxxx xxxxx xxx xxxxxxxxx xxx\nxxxxxxx xxxxxxxxxx xxx xxxxxxxxx xxxxx xxxxxx xx xxxxxxxxxx xxxxxxxxx. See\nAppendix C for management\xe2\x80\x99s comments in their entirety.\n\nEvaluation of Management\xe2\x80\x99s Comments\n\nThe U.S. Postal Service Office of Inspector General (OIG) considers management\xe2\x80\x99s\ncomments responsive to the recommendations and corrective actions should resolve\nthe issues identified in the report.\n\nThe OIG considers all the recommendations significant, and therefore requires OIG\nconcurrence before closure. Consequently, the OIG requests written confirmation when\ncorrective actions are completed. These recommendations should not be closed in the\nPostal Service\xe2\x80\x99s follow-up tracking system until the OIG provides written confirmation\nthat the recommendations can be closed. We will report the non-monetary impact\n\n\n\n\n                                            4\n\x0cIntelligent Mail Barcode Project Planning                              IS-AR-09-006\n and Application Development Life Cycle\n\n\n(preserving the integrity of the Postal Service brand) in our Semiannual Report to\nCongress.\n\nWe appreciate the cooperation and courtesies provided by your staff. If you have any\nquestions or need additional information, please contact Frances E. Cain, Director,\nInformation Systems, or me at (703) 248-2100.\n\n   E-Signed by Tammy Whitcomb\n VERIFY authenticity with ApproveIt\n\n\n\n\nTammy L. Whitcomb\nDeputy Assistant Inspector General\n for Revenue and Systems\n\nAttachments\n\ncc:     George W. Wright\n        Pritha N. Mehra\n        Harold E. Stark\n        John T. Edgar\n        Robert E. Dixon Jr.\n        Katherine S. Banks\n\n\n\n\n                                            5\n\x0cIntelligent Mail Barcode Project Planning                                                  IS-AR-09-006\n and Application Development Life Cycle\n\n\n                               APPENDIX A: ADDITIONAL INFORMATION\n\nBACKGROUND\n\nThe Senior Vice President, Intelligent Mail and Address Quality, is the executive\nsponsor for the IMB project. Intelligent Mail is a comprehensive term that describes the\nintegration of electronic mailing documentation \xe2\x80\x93 intelligent barcodes on all mail and\ncontainers \xe2\x80\x93 and scans to track mail at all points in the delivery process. With Intelligent\nMail, the Postal Service plans to transform the value of mail by helping customers\nmanage business processes, track cash flows, and build and maintain customer\nrelationships. According to the Postal Service, Intelligent Mail will allow customers to\ntrack mail as it moves through the mail stream. Data concerning mail movement will be\navailable through every point in the delivery process. For example, mailers and the\nPostal Service will know when advertising pieces are delivered, when customer\nremittances are mailed, and when problems such as inaccurate addressing or\nunreadable barcodes need correction.\n\nThe Postal Service currently has a DAR, which includes $63.9 million in capital funding,\nto create an infrastructure that will facilitate the 2009 IMB deployment, support the\nService Performance Measurement requirements of the 2006 Postal Accountability and\nEnhancement Act, and automate several business mail verification activities.6 The\nPostal Service is currently working to deploy the Full Service-SASP Release 1\napplication by an established deadline of May 11, 2009. The Sales and Marketing\nBusiness Systems Portfolio has developed a project plan that includes project tasks for\ncompleting items under the DAR. In addition, the deadline is tied to the May 2009 rate\nincrease and has been communicated to the mailer community.\n\nC&A is a formal review process that ensures adequate security is incorporated during\neach phase of the project life cycle. The C&A process is required for each information\nresource \xe2\x80\x93 application or infrastructure component \xe2\x80\x93 and consists of seven interrelated\nphases that are conducted concurrently with the development and deployment of new\ninformation resources. The objectives of the C&A are to assess threats, define security\nrequirements and controls, test security solutions, and evaluate the security controls\nand processes chosen to protect the information resource.\n\nInformation security must be an integral part of the system development life cycle\nwhether development is done in house, acquired, or outsourced. All development,\nacquisition, or integration projects for information resources must follow the TSLC\nprocess or other approved systems development life cycle methodology. The TSLC\nphases will have corresponding security activities that must be performed to maintain a\nsecure environment and comply with Postal Service policies and legal requirements.\nThe table below shows the TSLC phases and a brief description of each.\n\n\n6\n The Postal Service recently announced this DAR is being revised to cover only hardware and software for releases\n1 and 2 of Full Service-SASP. Any future releases for additional functionality would be covered under a new DAR.\n\n\n\n\n                                                        6\n\x0cIntelligent Mail Barcode Project Planning                                                IS-AR-09-006\n and Application Development Life Cycle\n\n\n                                        Table 1: TSLC Phases\n\n              TSLC Phases                                      Description\n                                      Defines the high-level business needs and high-level project\n             Initiate and Plan                                     plan.\n                                      Identifies and documents business requirements needed to\n              Requirements                           develop the technology solution.\n                                      Creates the technology design (application, security, etc.) for\n           Analysis and Design                     developing the technology solution.\n                                        Includes the development of the technology components\n                   Build                            specified in the design document.\n                                      Validate the technology solution and its features conform to\n                    SIT                               the requirements and design.\n                                         Ensure the technology solution satisfies the customer\xe2\x80\x99s\n                   CAT                                 documented requirements.\n                                          Ensures that pre-implementation tasks are defined, IT\n                                          change management is followed correctly, and post-\n          Release Management                       implementation steps are executed.\n\n\n\nOBJECTIVE, SCOPE, AND METHODOLOGY\n\nOur objective was to determine if management is administering the IMB IT project\nplanning and application development life cycle in an effective and efficient manner.7\nTo accomplish our objective, we reviewed IMB documentation, policies and procedures,\nand interviewed key officials representing Business Mail Entry and Payment\nTechnologies, Corporate IT Portfolios, and Corporate Information Security. We also\nreviewed the Sales and Marketing Business System Portfolio\xe2\x80\x99s application development\nlife cycle process used for deploying the application and examined other materials\ndeemed necessary to accomplish our objective. The Full Service-SASP Release 1\napplication documentation we reviewed included project management plans, business\nrequirements, project change control procedures, and security requirements. Finally,\nwe reviewed the TSLC process to determine if key C&A documentation was developed\nand finalized for Release 1 of the Full Service-SASP application.\n\nWe conducted this performance audit from September 2008 through March 2009 in\naccordance with generally accepted government auditing standards and included such\ntests of internal controls as we considered necessary under the circumstances. Those\nstandards require that we plan and perform the audit to obtain sufficient, appropriate\nevidence to provide a reasonable basis for our findings and conclusions based on our\naudit objective. We believe that the evidence obtained provides a reasonable basis for\nour findings and conclusions based on our audit objective. We assessed the reliability\nof computer-generated data supporting the auditing findings and concluded the data\nwas sufficiently reliable to meet our audit objective. We discussed our observations and\n\n7\n  Concurrent with this project, a separate OIG project, Intelligent Mail/Seamless Acceptance Project Management\n(Report Number MS-AR-09-006, dated March 31, 2009) was being conducted to focus on the project management of\nthe overall Full Service-SASP project.\n\n\n\n\n                                                       7\n\x0c  Intelligent Mail Barcode Project Planning                                 IS-AR-09-006\n   and Application Development Life Cycle\n\n\n  conclusions with management officials on March 9, 2009, and included their comments\n  where appropriate.\n\n  PRIOR AUDIT COVERAGE\n\n                      Report                  Final Report   Monetary\nReport Title          Number                      Date        Impact       Report Results\nIntelligent        DA-AR-06-001          December 22, 2005     None     The Postal Service\xe2\x80\x99s\nMail Data                                                               initial requirement for\nAcquisition                                                             Intelligent Mail Device\nSystem                                                                  units was reasonable\n                                                                        and a competitive vendor\n                                                                        solution and shared\n                                                                        order strategy allowed for\n                                                                        cost-effective unit prices\n                                                                        and discounts. However,\n                                                                        the OIG expressed\n                                                                        concern with possible\n                                                                        higher maintenance\n                                                                        costs if deployment was\n                                                                        delayed further.\nStatus of         DA-AR-08-005-R              May 28, 2008     None     The Postal Service has\nIntelligent                                                             successfully upgraded\nMail Enabling                                                           key mail processing\nInfrastructure                                                          equipment and 300\n                                                                        Postal Service facilities\n                                                                        with additional network\n                                                                        capacity. However,\n                                                                        clarification of\n                                                                        requirements was\n                                                                        needed to ensure\n                                                                        material handling\n                                                                        systems fully support\n                                                                        future Intelligent Mail\n                                                                        programs.\n\n\n\n\n                                                      8\n\x0cIntelligent Mail Barcode Project Planning                               IS-AR-09-006\n and Application Development Life Cycle\n\n\n                              APPENDIX B: DETAILED ANALYSIS\n\nDelays in Finalizing Application Requirements\n\nThe Postal Service began developing IMB requirements on August 16, 2007, with a\nconceptual document totaling approximately 200 pages. Although the initial DAR was\ndeveloped October 15, 2007, this document went through six revisions before the Board\nof Governors approved it in July 2008. The conceptual scope of the project was\nestablished in this DAR; however, development of the detailed requirements was not\nstarted until after the DAR was approved and funded.\n\nCritical complexities were identified during this detailed requirements development\nprocess. For example, the Postal Service determined the IMB project would impact 59\ndifferent systems. Due to the scope and complexity of the project, requirements\nincreased by 40 percent, and 70 percent of the original specifications required updates.\nThis resulted in the expansion of functionalities and increased requirements\ndocumentation to about 5,000 pages.\n\nAlso, the original DAR was intended to cover four IMB releases; however, the Postal\nService recently announced they will revise the original DAR to cover only hardware\nand software required for Releases 1 and 2. Any future releases with additional\nfunctionality would be covered by a new DAR.\n\nAccording to the July 14, 2008, Full Service Management Review Meeting document,\nthe application design and build phases were scheduled to start on August 11 and\nOctober 1, 2008, respectively. However, the actual start for these phases did not occur\nuntil October 1 and November 17, 2008, due to delays in approving the DAR and the\nrequirements. Additionally, the July 14, 2008, document indicated the requirements\nwere to be completed by August 8, 2008. However, the Executive Sponsor did not\nfinalize and approve the requirements until February 23, 2009.\n\nFinally, the Sales and Marketing Business Systems Portfolio is working under a much\nshorter time schedule to meet the existing milestones due to the delay in finalizing the\nrequirements. SIT and CAT schedules were initially compressed from 6 weeks to\n5 weeks, and significant overlap now exists between the two test phases. While some\noverlap is manageable, SIT testing should be substantially completed before CAT\ncommences. Additionally, testing and addressing test results for such a complex\napplication involving 59 systems in a 5-week period will likely be extremely challenging.\nDuring our exit conference, management indicated that SIT and CAT have been further\ncompressed to 4 weeks each.\n\n\n\n\n                                            9\n\x0cIntelligent Mail Barcode Project Planning                                                  IS-AR-09-006\n and Application Development Life Cycle\n\n\nInformation Security in the Application Development Process\n\nInformation Security\n\nThe Executive Sponsor did not formally appoint an ISSR for the IMB Full Service-SASP\napplication because he was not aware of the policy requirement.\n\nISSR\n\nThe ISSRs are appointed, in writing, by the executive sponsor or the portfolio manager\nand are members of the information resource development or integration teams. The\nISSR responsibilities include:8\n\n    \xe2\x80\xa2   Promoting information security awareness on the project team.\n    \xe2\x80\xa2   Ensuring that security controls and processes are implemented.\n    \xe2\x80\xa2   Notifying the Executive Sponsor, Portfolio Manager, and ISSO of any additional\n        security risks or concerns that emerge during development or acquisition of the\n        information resource.\n    \xe2\x80\xa2   Developing or reviewing security-related documents required by the C&A\n        process as assigned by the Executive Sponsor.\n\nA contract employee was assigned as the ISSR for the IMB Full Service-SASP\napplication as noted on the draft BIA; however, the employee was not aware of these\nduties and responsibilities and was, in fact, incorrectly listed as the ISSR. Rather,\nmanagement advised us that the Manager, Sales and Marketing Business Systems\nPortfolio, would be performing the ISSR duties and responsibilities.\n\nISSO\n\nThe ISSO duties include escalating security concerns and forwarding C&A evaluation\nreports and supporting documentation to the certifier for review. Also, the ISSO may\nrecommend additional security requirements during the BIA process to better protect\nthe information resource against threats and vulnerabilities. The ISSO responsibilities\ninclude:9\n\n    \xe2\x80\xa2   Ensuring that a BIA is completed for each information resource.\n    \xe2\x80\xa2   Ensuring the responsible project manager records the sensitivity and criticality\n        designations in the xxxxxxxxxx xxxxxxxxxxx xxxxxxxxxx.\n    \xe2\x80\xa2   Advising and consulting with executive sponsors and portfolio managers during\n        the BIA process so they know the background for (1) baseline security\n        requirements that apply to all information resources and (2) the security\n\n8\n Handbook AS-805, Chapter 2, Security Roles and Responsibilities, Section 2-2.28, ISSRs.\n9\n Handbook AS-805, Chapter 2, Security Roles and Responsibilities, Section 2-2.29, Information Systems Security\nOfficers.\n\n\n\n\n                                                       10\n\x0cIntelligent Mail Barcode Project Planning                                                IS-AR-09-006\n and Application Development Life Cycle\n\n\n           requirements necessary to protect an information resource based on the\n           resource's sensitivity and criticality designation.\n\nThe former ISSO had minimal involvement during requirements development for the\nIMB Full Service-SASP application. In July 2008, the former ISSO was reassigned to\nother Sales and Marketing Business Systems Portfolio projects while management was\nwaiting for the Board of Governors to approve the DAR. A new ISSO was not appointed\nfor the Full Service-SASP until October 2008.\n\nThe Certification and Accreditation Process\n\nAlthough management finalized and approved the BIA on January 30, 2009, other key\nTSLC documentation, such as the Security Plan, Risk Assessment, Security Test and\nEvaluation Plan, and SIT and CAT plans, has not been developed and finalized for the\nIMB Full Service-SASP Release 1 application as required by policy and the C&A\nprocess. All final TSLC documentation for information resources must be uploaded to\nthe TSLC Artifacts Library on the Postal Service\xe2\x80\x99s website. However, we confirmed that\nthese items had not been posted on the TSLC website as required, and in fact, we\nnoted that the TSLC Artifacts Library for IMB Full Service-SASP was just created very\nrecently \xe2\x80\x93 on December 3, 2008. We could not even obtain these documents directly\nfrom program officials.\n\nxxx xxxxxx xxxxxxx xxx xxxxxx xxx xxx xxxx xxxxxxx-xxxx xxxxxxxxxxx xxxxxxx xxxxx\nxxxxxxxxxx xxx xxx xxxxxxx. xxxxxxx, xxxx xxxxxxxx xx xxx xxxxxxxxxxx, xxxx xx\nxxxxxxxxxx xxx xxx, xxxxxxxx xxxx, xxx xxxx xxxxxxxxxx xxxx, xx xxxxxxxx xx\nxxxxxxxxx xxx xxxxxxxx xxxx xxxxxxxxxx xxxx xxxxxxxxxx. Postal Service policy10\nstates that if the level of residual risk is not acceptable, management should implement\nfurther safeguards and security controls to reduce exposure to acceptable levels. The\nVice President of the functional business area and the Vice President, Information\nTechnology Operations, are jointly responsible for acknowledging and accepting, in\nwriting, the residual risks inherent with using that information resource or initiating steps\nto further mitigate the residual risk. xx xxxx xxxxxx xxxx xxx xxx xxxx xxxxxxx-xxxx\nxxxxxxxxxxx, xx xxx xxxxxxxxx xxxx xxx xxxxxx xxxxx xx xxxxxxxx xxxxxxx xxxx\nxxxxxxxxxxxxx xx xxx xxxxx xxx xxxx xxxxxxxxxxx xxxxxxxx xxxxxxxxxxxxxxx.\n\n\n\n\n10\n     Handbook AS-805, Chapter 4, Security Risk Management, Section 4-3, Information Resource Risk Management.\n\n\n\n\n                                                       11\n\x0cIntelligent Mail Barcode Project Planning                   IS-AR-09-006\n and Application Development Life Cycle\n\n\n                        APPENDIX C: MANAGEMENT\xe2\x80\x99S COMMENTS\n\n\n\n\n                                            12\n\x0cIntelligent Mail Barcode Project Planning        IS-AR-09-006\n and Application Development Life Cycle\n\n\n\n\n                                            13\n\x0cIntelligent Mail Barcode Project Planning        IS-AR-09-006\n and Application Development Life Cycle\n\n\n\n\n                                            14\n\x0c"